My company was hit with a bunch of emails with suspicious attachments all at once earlier today. Unfortunately, two users opened and ran the attached files before I could send out the email alerting everyone.

I've since taken their computers off the network and run Malwarebytes, Trend Micro Worry-Free Business Security (WFBS), and Windows Defender, all coming up with no results. So I guess the local computer doesn't have anything on it? I'm a bit wary. Does anyone have any experience or suggestions on something I missed or could do?

I want some idea of what this was since I'm concerned that whatever was installed could get at our file server since the user profiles are kept on there as well. I intend to wipe and re-image the computers in question after I've done all I can.

Check the Windows folders, local user folders, and program files (enabling hidden folders of course) and sort by date added to check for anything mysteriously added for that date.

Besides relying on antiviruses and other malware removers, I've developed the habit of checking my startup applications/processes whenever something like that happens. Some malware may go undetected, but may still install some unwanted startup processes. You could check that using the system configuration utility (msconfig) or an application like Revo or TuneUp Utilities.

Also remember to view hidden and system files when doing the search that Rob suggested. Basic stuff, but can help you catch out some offending programs on your machines. We've done this a couple of times when some of our users would follow links in unsolicited emails and Skype IMs.
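The three suggestions above (files added on the incident date, hidden and system files included, plus a look at what starts automatically) can be done in one pass from an elevated PowerShell prompt on the isolated machine. This is an added example, not something posted in the thread; the incident date and the output paths are assumptions, and it only reads the HKCU hive of the account running it, so run it as (or after loading the hive of) the user who opened the attachment.

```powershell
# Added example: triage a suspect Windows host after a user ran an e-mail attachment.
# Lists files created or modified on the incident day in the usual drop locations
# (hidden and system files included) and dumps common autostart entries to CSV.
# Assumptions: $IncidentDate is the day the attachment was opened; output goes to
# the Desktop; Get-ScheduledTask needs Windows 8 / Server 2012 or later.
param(
    [datetime]$IncidentDate = (Get-Date).Date
)

$start = $IncidentDate.Date
$end   = $start.AddDays(1)

# Locations malware dropped by an attachment commonly writes to.
$paths = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    'C:\Users'
) | Where-Object { $_ -and (Test-Path $_) }

# -Force includes hidden and system files, which a plain Explorer search skips.
$recent = foreach ($p in $paths) {
    Get-ChildItem -Path $p -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.CreationTime  -ge $start -and $_.CreationTime  -lt $end) -or
                       ($_.LastWriteTime -ge $start -and $_.LastWriteTime -lt $end) }
}

# Hash executables and scripts so they can be sent to the AV vendor or looked up.
$suspectExt = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.lnk'
$recent |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ n = 'Hidden'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } },
        @{ n = 'SHA256'; e = {
            if ($suspectExt -contains $_.Extension.ToLower()) {
                (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            } } } |
    Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\recent-files.csv"

# Autostart locations: Run/RunOnce keys, Startup folders and non-Microsoft scheduled
# tasks. msconfig shows only a subset of these.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
    }
}

$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
$autoruns += foreach ($d in $startupDirs) {
    Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $d; Name = $_.Name; Command = $_.FullName } }
}

$autoruns += Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $t = $_
        $t.Actions | ForEach-Object {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($t.TaskPath)$($t.TaskName)"
                Command = "$($_.Execute) $($_.Arguments)"
            }
        }
    }

$autoruns | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\autoruns.csv"
```

Review recent-files.csv for executables in user-writable locations (AppData, Temp, ProgramData) and autoruns.csv for commands pointing at those same paths; anything unfamiliar can be hashed and submitted to the AV vendor, as suggested further down the thread.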

The last one of these I ran into didn't get caught by the local AV program, but Malwarebytes did find it. The one my users got was taking screenshots every 5 or 10 seconds and dumping them in the user profile in a somewhat random folder (I don't remember what it was named, but it wasn't a random assortment of letters/numbers). You may try doing a search on the machines for out-of-place files/folders. That is where I would start. Although at this point I have a quick and easy reimage process that takes me about 2 hours beginning to end, so I would probably just do that if possible.

Usually Malwarebytes or any major AV (business edition) should pick up on infections. I think you should be fine, but it would not hurt to run a few more scans as mentioned above. Hopefully you are running full scans and not the quick scan option. Use other tools to be sure.

If you don't wipe it and think you got it all, still monitor the network for bots just in case. Make sure you know and see a normal network flow, then watch the network for a while afterwards to see if it looks unusual. We use Flowtaq to detect and monitor the network.

The last one we had looked for any mapped drives or network shares the user had access to and copied itself there. It then replaced the network share with an exe file that had the mapped drive's name and icon, so any user trying to open the network share installed the virus on their system.
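The share-impersonation trick described above leaves a recognisable pattern: an executable sitting next to a (usually now hidden) directory of the same name, or an executable at the share root carrying the share's own name. The following is an added example, not code from the thread, that walks every mapped network drive on the machine it runs from and flags those two patterns; it does not inspect the icon resource, so treat hits as candidates to hash and examine, not as a verdict.

```powershell
# Added example: find executables on mapped shares that impersonate a folder or
# the share itself. Flags (a) an .exe whose base name matches a sibling directory
# and (b) an .exe at the share root whose name matches the share name.
# Assumption: the shares are mapped as drive letters on this machine.
function Find-ShareImpersonators {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $rootNorm  = $root.TrimEnd('\')
        $shareName = Split-Path -Path $rootNorm -Leaf

        # -Force so hidden directories (the originals the malware hid) are considered.
        Get-ChildItem -Path $root -Recurse -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $exe    = $_
                $sibDir = Join-Path $exe.DirectoryName $exe.BaseName
                $reason = $null

                if (Test-Path -LiteralPath $sibDir -PathType Container) {
                    $reason = "exe named like sibling directory '$($exe.BaseName)'"
                }
                elseif ($exe.DirectoryName.TrimEnd('\') -eq $rootNorm -and $exe.BaseName -ieq $shareName) {
                    $reason = "exe at share root named like the share '$shareName'"
                }

                if ($reason) {
                    [pscustomobject]@{
                        Path    = $exe.FullName
                        Reason  = $reason
                        Hidden  = [bool]($exe.Attributes -band [IO.FileAttributes]::Hidden)
                        Created = $exe.CreationTime
                        SHA256  = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

# Every mapped network drive on this machine; DisplayRoot holds the UNC path.
$mapped = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot } |
    ForEach-Object { $_.DisplayRoot }

Find-ShareImpersonators -Roots $mapped | Format-Table -AutoSize
```

Run it from the file server side as well (pass the local share paths as `-Roots`) so that shares not mapped on the triage machine are covered too; the same hash appearing on several shares is a strong sign of the copying behaviour described in the post.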


Try RKill and see if there's anything that's running silently. I'd be wary too if nothing is picking it up, yet the users confessed they ran the attachments. Check the Windows folders, local user folders, and program files (enabling hidden folders of course) and sort by date added to check for anything mysteriously added for that date.

Reformatting would definitely be the best "Safe than sorry" bet if all else fails.

I reckon you don't have anything scanning incoming e-mails for viruses?

We have a Check Point firewall that validates incoming mail. After the firewall, each email is scanned by Trend Micro WFBS. The attached files came password protected and I don't believe our system can scan those.

Call your AV support line and tell them you have some files you want checked out. For Kaspersky it takes about an hour or two for them to get back to me on whether they are clean or not, and then they'll push out an update to your AV solution.
